<html>
<head><meta charset="utf-8"><title>CVE assignment by RustSec · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html">CVE assignment by RustSec</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="210662557"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/210662557" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#210662557">(Sep 20 2020 at 11:33)</a>:</h4>
<p>It has been raised in <a href="https://github.com/RustSec/advisory-db/pull/389">https://github.com/RustSec/advisory-db/pull/389</a> that some processes (e.g. Debian) assume a CVE will be published for a vulnerability; and if it is not, they will miss it.<br>
I think we could dramatically up our game if we manage to automatically assign CVEs for incoming reports. It is obviously easier to plug RustSec into CVE somehow than to get everyone who already uses CVE to add extra automation for RustSec. <br>
I'm looking into what it takes to become a "CVE Numbering Authority" - an entity that can assign CVE numbers - and it's actually surprisingly easy: <a href="https://cve.mitre.org/cve/cna.html#new_cna_onboarding">https://cve.mitre.org/cve/cna.html#new_cna_onboarding</a><br>
Thoughts?</p>



<a name="210800127"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/210800127" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#210800127">(Sep 21 2020 at 21:07)</a>:</h4>
<p>I tried it before and never got a response</p>



<a name="210800128"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/210800128" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#210800128">(Sep 21 2020 at 21:07)</a>:</h4>
<p>best of luck</p>



<a name="229482962"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229482962" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229482962">(Mar 09 2021 at 14:15)</a>:</h4>
<p>I'm wondering, are the CVEs are filed or not?</p>



<a name="229485184"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229485184" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229485184">(Mar 09 2021 at 14:29)</a>:</h4>
<p>answered here: <a href="https://github.com/RustSec/advisory-db/pull/389">https://github.com/RustSec/advisory-db/pull/389</a></p>



<a name="229485834"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229485834" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229485834">(Mar 09 2021 at 14:33)</a>:</h4>
<p>RustSec doesn't file for CVEs ourselves, sometimes reporters or other folks file for them and then we note them (when we're told)</p>



<a name="229486022"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229486022" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229486022">(Mar 09 2021 at 14:34)</a>:</h4>
<p>thanks, just curious, what about DWF ids?</p>



<a name="229486139"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229486139" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229486139">(Mar 09 2021 at 14:35)</a>:</h4>
<p>Same deal. We don't allocate any IDs besides the RUSTSEC- ones.</p>



<a name="229583665"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229583665" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229583665">(Mar 10 2021 at 00:51)</a>:</h4>
<p>Technically CVE allows third-party numbering authorities, so we _could_ get a range allocated to us. Last time Tony tried that he hasn't received a reply, though.<br>
I think that also requires confidential disclosure which we do not currently provide (all pull requests for advisories are public).</p>



<a name="229583741"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229583741" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229583741">(Mar 10 2021 at 00:52)</a>:</h4>
<p>More resources here: <a href="https://cve.mitre.org/about/documents.html#cna_onboarding">https://cve.mitre.org/about/documents.html#cna_onboarding</a></p>



<a name="229648006"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229648006" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229648006">(Mar 10 2021 at 12:27)</a>:</h4>
<p>I found that this might be one avenue: <a href="https://iwantacve.org/">https://iwantacve.org/</a></p>



<a name="229651324"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229651324" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229651324">(Mar 10 2021 at 12:51)</a>:</h4>
<p><a href="https://iwantacve.org/">https://iwantacve.org/</a> is not really suitable for bulk submissions, and their turnaround time is rather large (~weeks).</p>



<a name="229657614"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229657614" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229657614">(Mar 10 2021 at 13:29)</a>:</h4>
<p>what is the current turnaround time for comparison?</p>



<a name="229658139"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229658139" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229658139">(Mar 10 2021 at 13:32)</a>:</h4>
<p>^^ with the legacy CVE service</p>



<a name="229658219"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229658219" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229658219">(Mar 10 2021 at 13:33)</a>:</h4>
<p>0-48 hours has been roughly my experience with MITRE.</p>



<a name="229658283"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229658283" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229658283">(Mar 10 2021 at 13:33)</a>:</h4>
<p>With maybe 3-6 being the median.</p>



<a name="229658508"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229658508" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229658508">(Mar 10 2021 at 13:34)</a>:</h4>
<p>is there anything else, other than stonewalling from mitre, causing rustsec to hesitate in using CVEs?</p>



<a name="229658841"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229658841" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229658841">(Mar 10 2021 at 13:36)</a>:</h4>
<p>I don't know if other feel this way, but to me issuing RUSTSEC advisories ATM is very easy as a maintaining. I review a PR, I click merge, its all automated. Unless there's a similarly automated way to acquire CVEs, I'm disinclined to do it as a matter of policy.</p>



<a name="229658973"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229658973" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229658973">(Mar 10 2021 at 13:37)</a>:</h4>
<p>do we know who is consuming rustsec advisories?</p>



<a name="229659126"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229659126" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229659126">(Mar 10 2021 at 13:38)</a>:</h4>
<p>the systems I'm familiar with are engineered to consume CVEs</p>



<a name="229659713"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229659713" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229659713">(Mar 10 2021 at 13:41)</a>:</h4>
<p><code>cargo audit</code> consumes rustsec advisories.</p>



<a name="229659714"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229659714" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229659714">(Mar 10 2021 at 13:41)</a>:</h4>
<p>There is a great deal of processes already existing around CVEs. For example, security teams of Linux distributions monitor CVEs almost exclusively, and have the time for very little other work.</p>



<a name="229659982"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229659982" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229659982">(Mar 10 2021 at 13:43)</a>:</h4>
<p>A requirement that we do not currently meet is "There must be a terms of service document", but I think that's it. If we can automate CVE assignment as well, I don't see any reason not to do it. I think CVE is just JSON in git nowadays anyway.</p>



<a name="229660031"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229660031" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229660031">(Mar 10 2021 at 13:43)</a>:</h4>
<p>if not DWF literally is just this</p>



<a name="229660174"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229660174" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229660174">(Mar 10 2021 at 13:44)</a>:</h4>
<p>"Have little time for other work" is about the volume of vulnerabilities, not the number of feeds in my experience. All the linux distros have automation that pulls the CVE feeds into issue trackers or other tools, adding other feeds wouldn't be the hard part.</p>
<p>Adding a bunch more vulnerabilities that they need to patch is the hard part.</p>
<p>This is a problem much bigger in scope than RUSTSEC. A tiny fraction of fuzzing security issues from OSS-Fuzz ever get CVEs. When I brought this up on the oss-security mailing list, a lot of people were afraid that if we got CVEs for every buffer-overflow and UAF it'd basically break the system, there'd be too much insecurity. Which is of course already true.</p>



<a name="229660416"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229660416" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229660416">(Mar 10 2021 at 13:45)</a>:</h4>
<p>I guess what I'm saying is that if someone has an idea of how to get CVEs (or DWF, or any other ID) in a way that won't make life harder for the folks maintaining RUSTSEC, I'm in favor. But I'm not super motivated by this.</p>



<a name="229660546"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229660546" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229660546">(Mar 10 2021 at 13:46)</a>:</h4>
<p><a href="https://security.googleblog.com/2021/02/launching-osv-better-vulnerability.html">https://security.googleblog.com/2021/02/launching-osv-better-vulnerability.html</a> is another related thing, attempting to aggregate across multiple data sources</p>



<a name="229661289"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229661289" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229661289">(Mar 10 2021 at 13:50)</a>:</h4>
<p>Hmm, we could partner with OSV relatively easily. We already track all the version data precisely, after all.</p>



<a name="229662073"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229662073" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229662073">(Mar 10 2021 at 13:54)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec/near/229659714">said</a>:</p>
<blockquote>
<p>There is a great deal of processes already existing around CVEs. For example, security teams of Linux distributions monitor CVEs almost exclusively, and have the time for very little other work.</p>
</blockquote>
<p>I think an issue currently is distros are packaging rust crates with known security vulns but since these aren't CVE formatted [and therefore not consumed by automated systems] the vulns aren't being tracked against the packages</p>



<a name="229663884"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229663884" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229663884">(Mar 10 2021 at 14:03)</a>:</h4>
<p>CVEs are not really consumed by automated systems regardless. They are not sufficiently structured to be machine-readable in the sense that would be useful for Linux distros. And the problem is actually even deeper than that because of Rust's static linking...</p>



<a name="229663895"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229663895" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229663895">(Mar 10 2021 at 14:03)</a>:</h4>
<p>That said, I recognize that while CVE alone will not fix all the issues, it would probably still be an improvement.</p>



<a name="229664970"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229664970" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229664970">(Mar 10 2021 at 14:09)</a>:</h4>
<p><span class="user-mention" data-user-id="281739">@oliver</span> the unfortunate reality is that RustSec maintainers are volunteers and have their hands full already. It's hard to take on another project like CVE bridging even though it's clear that it would be beneficial.<br>
However, there are things that could be done without depending on the availability of RustSec maintainers. For example, if someone could prototype exporting to CVE (e.g. using our Github action that updates <a href="http://rustsec.org">rustsec.org</a> as a starting point), that would bring CVE assignment much closer to reality.</p>



<a name="229665767"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229665767" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229665767">(Mar 10 2021 at 14:13)</a>:</h4>
<p>By the way, I've been tackling the static linking problem in <a href="https://github.com/Shnatsel/rust-audit">https://github.com/Shnatsel/rust-audit</a>. It's usable, what it needs is coordination with Cargo team to uplift this into Cargo nightly</p>



<a name="229666335"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229666335" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229666335">(Mar 10 2021 at 14:16)</a>:</h4>
<p>I'm not familiar with the static linking problem</p>



<a name="229666452"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229666452" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229666452">(Mar 10 2021 at 14:16)</a>:</h4>
<p><span class="user-mention silent" data-user-id="281739">oliver</span> <a href="#narrow/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec/near/229662073">said</a>:</p>
<blockquote>
<p>I think an issue currently is distros are packaging rust crates with known security vulns but since these aren't CVE formatted [and therefore not consumed by automated systems] the vulns aren't being tracked against the packages</p>
</blockquote>
<p>I wonder if you can point me to real-world examples of this? E.g. packages being vulnerable to this day, or packages being only updated after a CVE was assigned (RustSec vulns tend to get CVEs sporadically)?</p>



<a name="229666866"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229666866" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229666866">(Mar 10 2021 at 14:18)</a>:</h4>
<p><a href="https://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/2021-March/015287.html">https://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/2021-March/015287.html</a></p>



<a name="229667030"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229667030" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229667030">(Mar 10 2021 at 14:19)</a>:</h4>
<p>TL;DR of static linking problem: on Linux usually a single copy of every library is present as a separate file. They are linked together to run a program at runtime.<br>
Rust links all the libraries into the final executable at compile time; if there is a crate <code>foo</code> that several binaries use, every binary has a copy of crate <code>foo</code> in it. If the crate <code>foo</code> has a vulnerability, in Rust you need to recompile every binary depending on <code>foo</code>, while in proper C-on-Linux you only have to update one file and your entire system is patched.</p>



<a name="229667718"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229667718" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229667718">(Mar 10 2021 at 14:23)</a>:</h4>
<p><span class="user-mention silent" data-user-id="281739">oliver</span> <a href="#narrow/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec/near/229666866">said</a>:</p>
<blockquote>
<p><a href="https://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/2021-March/015287.html">https://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/2021-March/015287.html</a></p>
</blockquote>
<p>This is more of an example of Debian being slow rather than necessity of CVEs... The RustSec disclosure was on the 8th of January, CVE was published on the 22nd of January, and the fix was published in Debian just yesterday.</p>



<a name="229668460"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229668460" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229668460">(Mar 10 2021 at 14:26)</a>:</h4>
<p>14 days to CVE and another 46 days till the patch shipped... yikes</p>



<a name="229668568"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229668568" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229668568">(Mar 10 2021 at 14:27)</a>:</h4>
<p>Debian maintainers are volunteers and have their hands full already, CVE bridging is currently the method for assigning known vulns to existing packaged crates</p>



<a name="229668625"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229668625" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229668625">(Mar 10 2021 at 14:27)</a>:</h4>
<p>Yeah that's a recurring problem <span aria-label="stuck out tongue closed eyes" class="emoji emoji-1f61d" role="img" title="stuck out tongue closed eyes">:stuck_out_tongue_closed_eyes:</span></p>



<a name="229668838"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229668838" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229668838">(Mar 10 2021 at 14:28)</a>:</h4>
<p>Right, this is proof that just getting the CVEs assigned doesn't fix things. There's too many volunteers needed to do too much work.</p>
<p>We need fewer vulnerabilities to relieve the burden on folks, and we need better automation to support folks.</p>



<a name="229669522"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229669522" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229669522">(Mar 10 2021 at 14:32)</a>:</h4>
<p>OSV appears to have a far more structured approach to vulnerability tracking. Here's their data schema: <a href="https://osv.dev/docs/#tag/vulnerability_schema">https://osv.dev/docs/#tag/vulnerability_schema</a></p>



<a name="229673040"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229673040" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229673040">(Mar 10 2021 at 14:50)</a>:</h4>
<p>I've reached out to OSV: <a href="https://github.com/google/osv/issues/55#issuecomment-795538232">https://github.com/google/osv/issues/55#issuecomment-795538232</a></p>



<a name="229678351"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229678351" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229678351">(Mar 10 2021 at 15:17)</a>:</h4>
<p>But this is a Google project and I'm currently employed by that company, so I may be biased here.</p>



<a name="229681172"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229681172" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229681172">(Mar 10 2021 at 15:30)</a>:</h4>
<p><strong>To sum up:</strong> CVEs are not going to solve all the problems, but they are an improvement. If there is a way for RustSec to assign CVEs without introducing extra burden for the maintainers, it sounds a good idea to do so, but the current maintainers don't have the bandwidth to develop it from scratch.<br>
If anyone wants to help make it happen, a good starting point is prototyping a Github action that exports data in CVE-compatible format and assigns an ID based on our <a href="https://github.com/RustSec/advisory-db/tree/main/.github/workflows">existing actions</a>.</p>



<a name="229734570"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229734570" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229734570">(Mar 10 2021 at 20:11)</a>:</h4>
<p><span class="user-mention" data-user-id="281739">@oliver</span> I know Kurt Seifried going back to the '90s and tried to get involved in DWF having gotten a bunch of CVE assignments through him</p>



<a name="229734603"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229734603" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229734603">(Mar 10 2021 at 20:11)</a>:</h4>
<p>I applied to DWF on behalf of RustSec in 2017</p>



<a name="229734645"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229734645" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229734645">(Mar 10 2021 at 20:11)</a>:</h4>
<p>never heard back and in general he went incommunicado for awhile it seems</p>



<a name="229734674"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229734674" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229734674">(Mar 10 2021 at 20:11)</a>:</h4>
<p>(not just me, other people reported the same thing)</p>



<a name="229734705"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229734705" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229734705">(Mar 10 2021 at 20:11)</a>:</h4>
<p>but if they're trying to reboot DWF again that sounds interesting</p>



<a name="229734911"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229734911" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229734911">(Mar 10 2021 at 20:13)</a>:</h4>
<p>re:  <a href="https://iwantacve.org/">https://iwantacve.org/</a> see <a href="https://github.com/RustSec/advisory-db/issues/20">https://github.com/RustSec/advisory-db/issues/20</a> and some people have succeeded in getting CVEs for RUSTSEC vulns that way</p>



<a name="229735043"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229735043" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229735043">(Mar 10 2021 at 20:13)</a>:</h4>
<p>aah, previously with DWF I did get as far as "DWF/CVE - Acceptance of MITRE Terms"</p>



<a name="229735052"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229735052" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229735052">(Mar 10 2021 at 20:13)</a>:</h4>
<p>but didn't hear back after that</p>



<a name="229735402"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229735402" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229735402">(Mar 10 2021 at 20:15)</a>:</h4>
<p>I was attempting to apply for a block of DWF addresses</p>



<a name="229735696"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229735696" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229735696">(Mar 10 2021 at 20:17)</a>:</h4>
<p>as it were, it seems like there are people who do routinely file CVEs for all RUSTSEC vulns but I'm still unclear who they are and it'd be great to close the loop with them</p>



<a name="229736841"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229736841" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229736841">(Mar 10 2021 at 20:23)</a>:</h4>
<p>you can find DWF in the original 2016 (non-accepted) RFC that RustSec grew out of. It was the original plan, it just didn't end up working out: <a href="https://github.com/rust-lang/rfcs/pull/1752">https://github.com/rust-lang/rfcs/pull/1752</a></p>



<a name="229737919"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229737919" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229737919">(Mar 10 2021 at 20:28)</a>:</h4>
<p>If we're applying for a range for our use anyway, it makes more sense to use CVE than DWF. The former is used far more widely.</p>



<a name="229738711"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229738711" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229738711">(Mar 10 2021 at 20:32)</a>:</h4>
<p>Back in 2016 or so, it looked like the CVE program was dying -- MITRE was getting very bad at issuing them.</p>



<a name="229738935"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229738935" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229738935">(Mar 10 2021 at 20:33)</a>:</h4>
<p>yeah like after oss-security@ stopped being the place to get OSS CVEs there was... massive confusion</p>



<a name="229739090"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229739090" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229739090">(Mar 10 2021 at 20:34)</a>:</h4>
<p>but if there's someone with a corporate CVE block filing CVEs on our behalf, I'm happy to continue with that, it'd just be nice to know who they are</p>



<a name="229739126"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229739126" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229739126">(Mar 10 2021 at 20:34)</a>:</h4>
<p>since that seems to be what's happening</p>



<a name="229739153"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229739153" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229739153">(Mar 10 2021 at 20:34)</a>:</h4>
<p>And coordinate with them to make it more timely.</p>



<a name="229913487"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229913487" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229913487">(Mar 11 2021 at 19:46)</a>:</h4>
<p>Hrmm, perhaps I should contact the CNA Coordination Team and ask about becoming a CNA: <a href="https://cve.mitre.org/cve/cna.html#become_a_cna">https://cve.mitre.org/cve/cna.html#become_a_cna</a></p>



<a name="229913689"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229913689" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229913689">(Mar 11 2021 at 19:47)</a>:</h4>
<p>~2 years ago I tried to convince MITRE that there should be an API for requesting CVEs, it never went anywhere AFAIK.</p>



<a name="229914444"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/229914444" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#229914444">(Mar 11 2021 at 19:52)</a>:</h4>
<p>I filled out the contact form</p>



<a name="230382758"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/230382758" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#230382758">(Mar 15 2021 at 17:02)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec/near/229673040">said</a>:</p>
<blockquote>
<p>I've reached out to OSV: <a href="https://github.com/google/osv/issues/55#issuecomment-795538232">https://github.com/google/osv/issues/55#issuecomment-795538232</a></p>
</blockquote>
<p>I have received a reply, and I'm now in touch with the OVF folks about making RustSec available in that format as well. I'll share the draft specification of the format as soon as it becomes available.</p>



<a name="230383523"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/230383523" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#230383523">(Mar 15 2021 at 17:07)</a>:</h4>
<p>CNA application sent to MITRE</p>



<a name="230385524"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/230385524" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#230385524">(Mar 15 2021 at 17:19)</a>:</h4>
<p>Do I recall correctly that CVE version specification is entirely free-form? We have a rather complex version specification that is friendly towards reporters, since it's as easy to fill out as <code>Cargo.toml</code>, but it requires rather complex resolution logic, which even the <code>rustsec</code> crate is not handling entirely correctly: <a href="https://github.com/RustSec/rustsec-crate/issues/218">https://github.com/RustSec/rustsec-crate/issues/218</a><br>
OVF early draft just has <code>(start, end)</code> version ranges, which are far easier to process than our complex rules. I wonder if we should translate the version requirements to that representation before performing the actual maching; this would also allow sane export to OVF and CVE.</p>



<a name="230411590"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/230411590" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#230411590">(Mar 15 2021 at 20:18)</a>:</h4>
<p>sounds good to me</p>



<a name="230411623"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/230411623" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#230411623">(Mar 15 2021 at 20:18)</a>:</h4>
<p>mind opening an issue or leaving a comment on <a href="https://github.com/rust-lang/rust/issues/218">#218</a>?</p>



<a name="230416461"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/230416461" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#230416461">(Mar 15 2021 at 20:52)</a>:</h4>
<p><del>I'll copy-paste this to <a href="https://github.com/rust-lang/rust/issues/218">#218</a></del></p>



<a name="230416726"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/230416726" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#230416726">(Mar 15 2021 at 20:54)</a>:</h4>
<p>Actually, you know what, I'll wait until the first published OVF draft before I do that</p>



<a name="230439929"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/230439929" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#230439929">(Mar 15 2021 at 23:57)</a>:</h4>
<p>Oooh, I got a reply from MITRE about CVE onboarding!</p>



<a name="230440471"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/230440471" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#230440471">(Mar 16 2021 at 00:02)</a>:</h4>
<p>yup!</p>



<a name="231338431"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/231338431" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#231338431">(Mar 22 2021 at 16:12)</a>:</h4>
<p>FYI, moved the meeting back 2 weeks so we can have some more discussion with the Core Team about whether or not core vulns should be in-scope or out-of-scope for our CNA</p>



<a name="232180477"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232180477" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232180477">(Mar 28 2021 at 17:26)</a>:</h4>
<p>re: OVF version ranges, the current doc seems to specify SemVer comparisons for version matching</p>



<a name="232180504"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232180504" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232180504">(Mar 28 2021 at 17:27)</a>:</h4>
<p>I mentioned the prerelease matching problems we have on the doc</p>



<a name="232180566"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232180566" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232180566">(Mar 28 2021 at 17:28)</a>:</h4>
<p>as far as I can tell, the only resolution suggested for that in the upstream issue on <code>semver</code> is making our own version requirement type and syntax and rules</p>



<a name="232195288"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232195288" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232195288">(Mar 28 2021 at 21:41)</a>:</h4>
<p>I've mentioned them too in the internal doc. We have more complicated selectors than what OVF allows - OVF only has <code>[start, end)</code> ranges while we allow complex semver-based rules like what you can write in Cargo.<br>
I think we'll need to lower our selectors to ranges to be able to export to OVF. Our ranges can be either inclusive or exclusive of the versions specified, but that can be worked around by incrementing/decrementing the version (which is possible to do even in presence of pre-releases).<br>
Once we have the version requirements lowered to ranges, rolling our own matching based on them that avoids the issues with pre-releases is very easy.</p>



<a name="232294647"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232294647" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232294647">(Mar 29 2021 at 16:19)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> here's what the public doc specifies:</p>



<a name="232294929"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232294929" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232294929">(Mar 29 2021 at 16:21)</a>:</h4>
<blockquote>
<p><code>SEMVER</code>: The versions <code>introduced</code> and <code>fixed</code> are semantic versions as defined by SemVer 2.0.0, with no leading “v” prefix. The relation u &lt; v denotes the precedence order defined in [section 11 of SemVer 2.0]. Ranges listed with type <code>SEMVER</code> should not overlap: since SEMVER is a strict linear ordering, it is always possible to simplify to non-overlapping ranges.</p>
</blockquote>



<a name="232295056"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232295056" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232295056">(Mar 29 2021 at 16:22)</a>:</h4>
<p>SemVer versions, according to the <code>semver</code> crate, do not have a strict linear ordering</p>



<a name="232295086"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232295086" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232295086">(Mar 29 2021 at 16:23)</a>:</h4>
<p>maybe it's misinterpreting the spec? I'm not sure, I haven't tried to language lawyer the spec</p>



<a name="232295234"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232295234" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232295234">(Mar 29 2021 at 16:24)</a>:</h4>
<p>if you use a <code>semver</code> selector, a prerelease version is considered to match a final release</p>



<a name="232295426"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232295426" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232295426">(Mar 29 2021 at 16:25)</a>:</h4>
<p>if you try to bound a version range starting at <code>1.0.0</code>, it will include all <code>1.0.0-pre*</code> releases too</p>



<a name="232295543"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232295543" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232295543">(Mar 29 2021 at 16:26)</a>:</h4>
<p>and this is the source of the ongoing problems with prereleases</p>



<a name="232295708"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232295708" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232295708">(Mar 29 2021 at 16:27)</a>:</h4>
<p>I agree we should define simpler version requirements</p>



<a name="232295813"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232295813" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232295813">(Mar 29 2021 at 16:28)</a>:</h4>
<p>hopefully we can do it in a backwards compatible way</p>



<a name="232295945"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232295945" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232295945">(Mar 29 2021 at 16:29)</a>:</h4>
<p>but for this same reason, whenever I use prereleases in Cargo, I <em>always</em> pin to <code>=1.0.0-pre.1</code> instead of just <code>1.0.0-pre.1</code></p>



<a name="232296081"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232296081" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232296081">(Mar 29 2021 at 16:30)</a>:</h4>
<p>because if <code>1.0.0</code> is released, and introduces any breaking changes from <code>1.0.0-pre.1</code>, all users with <code>^1.0.0-pre.1</code> will be auto-updated to <code>1.0.0</code> and their builds will break</p>



<a name="232296196"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232296196" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232296196">(Mar 29 2021 at 16:31)</a>:</h4>
<p>also <a href="https://deps.rs">https://deps.rs</a> is trying to use this data too and misflagging tons of things as vulnerable when they're not</p>



<a name="232297887"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232297887" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232297887">(Mar 29 2021 at 16:44)</a>:</h4>
<p>anyway, this is all an issue with <code>VersionReq</code>, not <code>Version</code> itself. So we can potentially build this... I did it once before</p>



<a name="232297914"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232297914" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232297914">(Mar 29 2021 at 16:44)</a>:</h4>
<p>then I had to rip it all out to upgrade <code>semver</code></p>



<a name="232298000"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232298000" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232298000">(Mar 29 2021 at 16:45)</a>:</h4>
<p>but then there's the much more difficult question of how to migrate</p>



<a name="232298101"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232298101" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232298101">(Mar 29 2021 at 16:45)</a>:</h4>
<p>what I did before was compatible with existing <code>VersionReq</code> expressions</p>



<a name="232298526"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232298526" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232298526">(Mar 29 2021 at 16:48)</a>:</h4>
<p>at this point I just want to ignore prerelease dependencies temporarily because the matching logic is broken</p>



<a name="232298575"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232298575" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232298575">(Mar 29 2021 at 16:48)</a>:</h4>
<p>if all we're generating is false positives, that isn't helpful</p>



<a name="232298827"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232298827" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232298827">(Mar 29 2021 at 16:50)</a>:</h4>
<p>curious what version reqs we might have which would be incompatible with the OVF semantics</p>



<a name="232298865"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232298865" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232298865">(Mar 29 2021 at 16:50)</a>:</h4>
<p>and then there's the fun part of writing a linter to ensure there's no overlap in the ranges</p>



<a name="232299443"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232299443" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232299443">(Mar 29 2021 at 16:54)</a>:</h4>
<p>this seems like the sort of thorny problem that needs a planning issue along with a potential migration path</p>



<a name="232299498"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232299498" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232299498">(Mar 29 2021 at 16:54)</a>:</h4>
<p>(I'm also, in general, so tired of dealing with it)</p>



<a name="232308521"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232308521" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232308521">(Mar 29 2021 at 17:52)</a>:</h4>
<p>tl;dr: I think we can migrate to something like OVF's rules, but it's going to be a lot of work, not only to implement, but to migrate all of the existing vulnerabilities to be compatible</p>



<a name="232309645"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232309645" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232309645">(Mar 29 2021 at 17:59)</a>:</h4>
<p>and the more I think about it, the more it seems like it will just need a completely new schema for versions</p>



<a name="232310721"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232310721" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232310721">(Mar 29 2021 at 18:07)</a>:</h4>
<p>unless anyone can think of a "clever" solution, I think we'd need to add the new scheme side-by-side with the old scheme, wait until all clients have updated, and then write some sort of migration tool and do a hard cutover</p>



<a name="232364172"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232364172" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232364172">(Mar 30 2021 at 02:27)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> matching and ordering are two different things for SemVer 2.0, and the ordering rules are far simpler.  The spec calls it "precedence" and I believe the <code>semver</code> crate already implements it according to the spec: <a href="https://semver.org/#spec-item-11">https://semver.org/#spec-item-11</a></p>



<a name="232364273"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232364273" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232364273">(Mar 30 2021 at 02:29)</a>:</h4>
<p>Our problem was that using the semver versions requirement such as "1.0" to specify a range was behaving in a weird way, but if we're lowering those requirements to ranges anyway we don't have to use the semver crate matching logic, we can  just use the ranges we generated</p>



<a name="232424231"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232424231" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232424231">(Mar 30 2021 at 13:24)</a>:</h4>
<p>the problem is we have a living system spec'd in terms of <code>VersionReq</code>s</p>



<a name="232424321"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232424321" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232424321">(Mar 30 2021 at 13:24)</a>:</h4>
<p>we'd need to effectively parse those and "zip" them together</p>



<a name="232424444"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232424444" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232424444">(Mar 30 2021 at 13:25)</a>:</h4>
<p><code>versions.patched</code> and <code>versions.unaffected</code>, that is</p>



<a name="232424561"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232424561" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232424561">(Mar 30 2021 at 13:26)</a>:</h4>
<p>also transforming the complex <code>VersionReq</code> expressions into those exclusive range expressions</p>



<a name="232424579"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232424579" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232424579">(Mar 30 2021 at 13:26)</a>:</h4>
<p>then lint the whole thing to ensure there are no overlapping ranges</p>



<a name="232424696"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232424696" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232424696">(Mar 30 2021 at 13:27)</a>:</h4>
<p>and then go through any advisories that use overly complex rules which whatever tool we write to do ^^^ fails to work on</p>



<a name="232424744"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232424744" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232424744">(Mar 30 2021 at 13:27)</a>:</h4>
<p>I'm not saying it isn't possible. I'm saying that's gonna be a ton of work</p>



<a name="232601353"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232601353" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232601353">(Mar 31 2021 at 14:30)</a>:</h4>
<p>I have already braced myself for writing that logic, but if you feel it'd be better to switch to the OVF-style system, I can't argue with that</p>



<a name="232626763"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232626763" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232626763">(Mar 31 2021 at 16:56)</a>:</h4>
<p>I think either way we need to write that logic, to implement OVF and/or automate a migration, unless someone is really keen on doing it by hand</p>



<a name="232626804"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/232626804" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#232626804">(Mar 31 2021 at 16:57)</a>:</h4>
<p>but overall I think it would make sense to migrate</p>



<a name="233633256"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/233633256" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dirkjan Ochtman <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#233633256">(Apr 08 2021 at 10:48)</a>:</h4>
<p>might be of interest: <a href="https://lwn.net/SubscriberLink/851849/f8cf36ef115ea090/">https://lwn.net/SubscriberLink/851849/f8cf36ef115ea090/</a></p>



<a name="233758893"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/233758893" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#233758893">(Apr 09 2021 at 02:21)</a>:</h4>
<p>yeah someone mentioned that, and that's what brought up that MITRE has a new like... awesome-seeming CNA process</p>



<a name="240509732"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240509732" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240509732">(May 27 2021 at 18:21)</a>:</h4>
<p>well I guess <code>semver</code> 1.0.0 has shipped, without addressing any of the issues with <code>VersionReq</code>. but it was already de facto 1.0 anyway due to use in <code>cargo</code> so c'est la vie</p>



<a name="240509798"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240509798" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240509798">(May 27 2021 at 18:21)</a>:</h4>
<p>one of them seems like a bug in the SemVer spec, another in how <code>VersionReq</code> handles prereleases</p>



<a name="240509876"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240509876" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240509876">(May 27 2021 at 18:22)</a>:</h4>
<p>re: the former, the SemVer spec seems pretty badly written</p>



<a name="240509898"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240509898" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240509898">(May 27 2021 at 18:22)</a>:</h4>
<p>anyway, migrating away from <code>VersionReq</code> sounds like a great idea to me</p>



<a name="240509992"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240509992" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240509992">(May 27 2021 at 18:23)</a>:</h4>
<p>I released <code>cargo-lock</code> v7.0.0 (might've gone 1.0 a bit early on that one) which uses <code>semver</code> v1.0.0</p>



<a name="240510005"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240510005" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240510005">(May 27 2021 at 18:23)</a>:</h4>
<p>might impact your work there <span class="user-mention" data-user-id="127617">@Shnatsel</span></p>



<a name="240511216"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240511216" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240511216">(May 27 2021 at 18:33)</a>:</h4>
<p>SemVer crate 1.0 is actually good news for OSV export because they have exposed the fields that were previously private. I had to fork semver 0.11 to get to them, but it seems that in 1.0 it's no longer necessary.</p>



<a name="240511242"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240511242" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240511242">(May 27 2021 at 18:33)</a>:</h4>
<p>Also, proper handling of pre-releases will likely be a side effect of OSV export implementation.</p>



<a name="240511628"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240511628" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240511628">(May 27 2021 at 18:36)</a>:</h4>
<p>yeah, I've checked that version comparators look good. it's just the interpretation of <code>VersionReq</code> that's... weird</p>



<a name="240511978"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240511978" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240511978">(May 27 2021 at 18:39)</a>:</h4>
<p><a href="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2018&amp;gist=b74ac8bd1d75d4366c81d57d755c934e">https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2018&amp;gist=b74ac8bd1d75d4366c81d57d755c934e</a></p>



<a name="240512024"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240512024" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240512024">(May 27 2021 at 18:40)</a>:</h4>
<p><code>2.0.0-rc.0</code> and <code>^2.0.0-rc.0</code> are interpreted as: <code>&gt;=2.0.0-rc.0, &lt;3.0.0</code></p>



<a name="240512195"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240512195" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240512195">(May 27 2021 at 18:41)</a>:</h4>
<p>per the SemVer spec I think that should be: <code>&gt;=2.0.0-rc.0, &lt;2.0.0</code></p>



<a name="240512463"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240512463" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240512463">(May 27 2021 at 18:43)</a>:</h4>
<p>That seems to be distinct from that bug about pre-release handling that you've filed. Could you file another bug about this?</p>



<a name="240512651"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240512651" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240512651">(May 27 2021 at 18:44)</a>:</h4>
<p>Is there a reference implementation of the spec? If yes, then we can use differential fuzzing to find these discrepancies</p>



<a name="240512652"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240512652" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240512652">(May 27 2021 at 18:44)</a>:</h4>
<p>I did and it was closed: <a href="https://github.com/dtolnay/semver/issues/236#issuecomment-848257031">https://github.com/dtolnay/semver/issues/236#issuecomment-848257031</a></p>
<p>But again I feel <code>semver</code> has been de-facto 1.0.0 for years because of Cargo</p>



<a name="240512752"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240512752" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240512752">(May 27 2021 at 18:45)</a>:</h4>
<p>I also wrote a rant about how the SemVer spec for prereleases is bad: <a href="https://github.com/dtolnay/semver/issues/172#issuecomment-848260770">https://github.com/dtolnay/semver/issues/172#issuecomment-848260770</a></p>



<a name="240512785"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240512785" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240512785">(May 27 2021 at 18:45)</a>:</h4>
<p>but I do agree the <code>semver</code> crate implements the spec correctly. it's just the spec is wrong</p>



<a name="240512795"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240512795" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240512795">(May 27 2021 at 18:45)</a>:</h4>
<p>and as someone who implements specs a lot, c'est la vie</p>



<a name="240512899"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240512899" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240512899">(May 27 2021 at 18:46)</a>:</h4>
<p>the spec seems to be discussing a sort of boundary condition between prereleases and the non-prerelease versions they're adjacent to</p>



<a name="240512923"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240512923" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240512923">(May 27 2021 at 18:46)</a>:</h4>
<p>Yikes, that rant does ring true.</p>



<a name="240512975"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240512975" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240512975">(May 27 2021 at 18:46)</a>:</h4>
<p>but the way it's worded, that boundary condition seems to have unintended consequences for unrelated versions. it's almost this sort of "banded" incongruity where there are holes in the logic</p>



<a name="240513032"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513032" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513032">(May 27 2021 at 18:47)</a>:</h4>
<p>anyway, I'm totally on board for migrating away from <code>VersionReq</code> <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="240513232"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513232" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513232">(May 27 2021 at 18:48)</a>:</h4>
<p>So far I've been assuming that the TOML format will be unchanged, and just transforming those <code>VersionReq</code>s into <code>[start; end)</code> ranges that are trivial to match against following semver precedence rules, which seem to be simpler and not quite as messed up as selectors in terms of pre-release handling</p>



<a name="240513256"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513256" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513256">(May 27 2021 at 18:49)</a>:</h4>
<p>that's cool</p>



<a name="240513274"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513274" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513274">(May 27 2021 at 18:49)</a>:</h4>
<p>I think we can eventually migrate the TOML format</p>



<a name="240513297"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513297" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513297">(May 27 2021 at 18:49)</a>:</h4>
<p>possibly as part of a "1.0 stabilization" of it</p>



<a name="240513334"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513334" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513334">(May 27 2021 at 18:49)</a>:</h4>
<p>I thought we already shipped 1.0... <span aria-label="laughing" class="emoji emoji-1f606" role="img" title="laughing">:laughing:</span></p>



<a name="240513371"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513371" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513371">(May 27 2021 at 18:49)</a>:</h4>
<p>We can even use the <code>[start; end)</code> ranges internally for matching, which bypasses the problem with pre-releases</p>



<a name="240513374"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513374" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513374">(May 27 2021 at 18:49)</a>:</h4>
<p>as for as internal informal versions go, I'd call it "V3"</p>



<a name="240513453"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513453" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513453">(May 27 2021 at 18:50)</a>:</h4>
<p>but uhh, I'd like to freeze the format spec and ship a v1.0 of the <code>rustsec</code> crate</p>



<a name="240513587"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513587" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513587">(May 27 2021 at 18:51)</a>:</h4>
<p>The entire point of the <code>list-affected-versions</code> subcommand (<a href="https://github.com/RustSec/rustsec/pull/373">https://github.com/RustSec/rustsec/pull/373</a>) is being able to change the matching logic and ensure I don't introduce any regressions when doing so</p>



<a name="240513651"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513651" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513651">(May 27 2021 at 18:51)</a>:</h4>
<p>yeah all of the previous format upgrades have been backwards compatible</p>



<a name="240513667"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513667" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513667">(May 27 2021 at 18:52)</a>:</h4>
<p>up to a particular version</p>



<a name="240513749"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513749" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513749">(May 27 2021 at 18:52)</a>:</h4>
<p>it's been ship a version that supports both the old and new format, wait 6 months - 1 year, then transition the database</p>



<a name="240513767"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513767" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513767">(May 27 2021 at 18:52)</a>:</h4>
<p>but there are clients not using the <code>rustsec</code> crate</p>



<a name="240513943"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240513943" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240513943">(May 27 2021 at 18:53)</a>:</h4>
<p>I am tempted to just use the OSV ranges for matching so that if there's a bug in OSV exported data we also see it in <code>cargo-audit</code> and there's only ever a single matching logic in play. But I'm not sure if I'm taking it too far here. There <em>is</em> an intermediate representation with ranges that can have each bound as either inclusive or exclusive and we could match on that instead of <code>[start; end)</code> OSV ranges if you prefer.</p>



<a name="240514241"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240514241" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240514241">(May 27 2021 at 18:55)</a>:</h4>
<p>I defer that decision to you because I'm paid to add OSV support and I might have a bit of conflict of interest here.</p>



<a name="240525477"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/240525477" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#240525477">(May 27 2021 at 20:19)</a>:</h4>
<p>I think we should get to OSV ranges internally, and then migrate the TOML format to suit</p>



<a name="241337108"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241337108" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Darakian <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241337108">(Jun 03 2021 at 00:40)</a>:</h4>
<p>on the CVE topic; github does give out CVEs for open source projects. I know this is limited to code hosted on github, but it's something<br>
<a href="https://docs.github.com/en/code-security/security-advisories/publishing-a-security-advisory#requesting-a-cve-identification-number">https://docs.github.com/en/code-security/security-advisories/publishing-a-security-advisory#requesting-a-cve-identification-number</a></p>



<a name="241337507"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241337507" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241337507">(Jun 03 2021 at 00:48)</a>:</h4>
<p>We're aware of that. Some of this discussion came up because that's what the core team normally uses for CVE assignments and they were having some problems with that</p>



<a name="241339299"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241339299" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Darakian <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241339299">(Jun 03 2021 at 01:22)</a>:</h4>
<p>Ah, apologies for the redundancy. What issues are you running into?</p>



<a name="241339930"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241339930" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241339930">(Jun 03 2021 at 01:34)</a>:</h4>
<p>I'm merely relaying the concerns of others here</p>



<a name="241340710"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340710" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340710">(Jun 03 2021 at 01:50)</a>:</h4>
<p>for our purposes, we really need on-demand ID assgnment, or that would really complicate our workflow, which is already somewhat complicated and difficult to maintain</p>



<a name="241340746"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340746" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340746">(Jun 03 2021 at 01:51)</a>:</h4>
<p>the use of a distinguished identifier namespace is because of a long history of problems with integrating with external databases in the RubySec project, whcih is a big inspiration for the general shape of this project</p>



<a name="241340793"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340793" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340793">(Jun 03 2021 at 01:52)</a>:</h4>
<p>RubySec got along for quite some time wiht oss-security@-assigned CVEs</p>



<a name="241340795"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340795" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340795">(Jun 03 2021 at 01:52)</a>:</h4>
<p>then that went away</p>



<a name="241340797"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340797" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340797">(Jun 03 2021 at 01:52)</a>:</h4>
<p>and we tried to migrate to OSSEC</p>



<a name="241340798"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340798" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340798">(Jun 03 2021 at 01:52)</a>:</h4>
<p>and then that went away</p>



<a name="241340814"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340814" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340814">(Jun 03 2021 at 01:52)</a>:</h4>
<p>RustSec tried to use DWF in ~2017</p>



<a name="241340815"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340815" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340815">(Jun 03 2021 at 01:52)</a>:</h4>
<p>and that went away</p>



<a name="241340832"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340832" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340832">(Jun 03 2021 at 01:53)</a>:</h4>
<p>so there's something of a sordid history here</p>



<a name="241340843"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340843" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340843">(Jun 03 2021 at 01:53)</a>:</h4>
<p>I think it'd be great if RustSec could migrate to CVEs</p>



<a name="241340860"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340860" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340860">(Jun 03 2021 at 01:53)</a>:</h4>
<p>but I am very wary of building on quicksand, as that's been a gotcha for me many, many, many times in the past</p>



<a name="241340910"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241340910" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241340910">(Jun 03 2021 at 01:54)</a>:</h4>
<p>if Rust Core is expressing concerns with the GitHub CVE assignment process, well, color me wary</p>



<a name="241348769"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241348769" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241348769">(Jun 03 2021 at 05:02)</a>:</h4>
<p>well <span class="user-mention" data-user-id="127617">@Shnatsel</span>, you're officially in charge of everything relating to advisory version matching</p>



<a name="241348774"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241348774" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241348774">(Jun 03 2021 at 05:02)</a>:</h4>
<p>I'm burnt out</p>



<a name="241348786"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241348786" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241348786">(Jun 03 2021 at 05:03)</a>:</h4>
<p>I want nothing to do with the <code>semver</code> crate ever again</p>



<a name="241348967"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241348967" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241348967">(Jun 03 2021 at 05:06)</a>:</h4>
<p>this has been a multi-year battle of me trying to get anyone to even recognize there was a problem, only to have the problem, reported by others who agreed with me, unceremoniously closed and the thread locked, and my opinion pronounced wrong</p>



<a name="241348980"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241348980" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241348980">(Jun 03 2021 at 05:07)</a>:</h4>
<p>perhaps I should just stop doing RustSec</p>



<a name="241349111"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241349111" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241349111">(Jun 03 2021 at 05:10)</a>:</h4>
<p>things that induce burnout: dozens of issues, ill-content users, and various people complaining that things are broken, and I agree. and I try to take things upstream, only to be gaslit and told that the spec makes sense, I am wrong, issue locked, no further discussion.</p>



<a name="241349115"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241349115" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241349115">(Jun 03 2021 at 05:10)</a>:</h4>
<p>this is obviously not working</p>



<a name="241349118"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241349118" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241349118">(Jun 03 2021 at 05:10)</a>:</h4>
<p>perhaps I should quit</p>



<a name="241349578"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241349578" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241349578">(Jun 03 2021 at 05:20)</a>:</h4>
<p>Have you brought up the versionreq issue with <a href="https://github.com/semver/semver">https://github.com/semver/semver</a> ? dtolnay mentioned in that issue you linked that the crate is performing according to the spec, so it seems like the next place to go would be to try changing the spec and see what provisions can be made for the security / patching use case</p>



<a name="241349737"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241349737" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241349737">(Jun 03 2021 at 05:24)</a>:</h4>
<p>hm, i think its plausible that the behavior for version resolution and for security advisory just are different enough that this doesn't align. that's to say, i kind of... think the spec's behavior makes sense for its use case.</p>



<a name="241349768"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241349768" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241349768">(Jun 03 2021 at 05:25)</a>:</h4>
<p>but i agree its probably worth it for someone to bring it up regardless (althouhg i can sympathize with running out of give-a-fucks about a particular issue)</p>



<a name="241349950"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241349950" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241349950">(Jun 03 2021 at 05:29)</a>:</h4>
<p>If one grants that "security version ranges" are not the same as "semver version ranges", then what can be done about the <code>cargo audit fix</code> problem mentioned <a href="https://github.com/dtolnay/semver/issues/172#issuecomment-699513786">here</a>? Does cargo need to support some alternative version range syntax for security ranges?</p>



<a name="241349958"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241349958" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241349958">(Jun 03 2021 at 05:29)</a>:</h4>
<p>Like what even is the desired end state?</p>



<a name="241350079"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350079" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350079">(Jun 03 2021 at 05:32)</a>:</h4>
<p>Apparently the <code>Ord</code> instance for <code>Version</code> is different from <code>VersionReq</code>, but I don't know if <code>Version</code> ranges can be explicitly specified in a cargo.toml file</p>



<a name="241350091"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350091" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350091">(Jun 03 2021 at 05:32)</a>:</h4>
<p><a href="https://github.com/dtolnay/semver/issues/172">https://github.com/dtolnay/semver/issues/172</a></p>



<a name="241350102"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350102" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350102">(Jun 03 2021 at 05:33)</a>:</h4>
<p><a href="https://github.com/dtolnay/semver/issues/236">https://github.com/dtolnay/semver/issues/236</a></p>



<a name="241350119"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350119" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350119">(Jun 03 2021 at 05:34)</a>:</h4>
<p>I don't know what to do from here but I kind of want to "retire" from RustSec</p>



<a name="241350197"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350197" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350197">(Jun 03 2021 at 05:35)</a>:</h4>
<p>it's too much to deal with downstream users complaining about a behavior in a dependency whose upstream mainstainers not only insist isn't a bug but lock the threads and suggest that if I even think it's a bug I'm the problem</p>



<a name="241350212"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350212" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350212">(Jun 03 2021 at 05:35)</a>:</h4>
<p>I have enough else going on in my life I just can't deal with this</p>



<a name="241350287"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350287" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350287">(Jun 03 2021 at 05:36)</a>:</h4>
<p>It seems the issue here is that semver ranges are being used for two things (security/patching and API versioning) and they have different requirements. Rather than trying to change from one to the other, what are the options for supporting both?</p>



<a name="241350306"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350306" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350306">(Jun 03 2021 at 05:37)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> is trying to rewrite how version comparisons are handled</p>



<a name="241350313"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350313" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350313">(Jun 03 2021 at 05:37)</a>:</h4>
<p>I am so burned out on this I can't even describe it</p>



<a name="241350329"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350329" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350329">(Jun 03 2021 at 05:37)</a>:</h4>
<p>but yeah I think I'm done</p>



<a name="241350379"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350379" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350379">(Jun 03 2021 at 05:38)</a>:</h4>
<p>I've just been trying to relate the problems of downstream users for 5 years</p>



<a name="241350395"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350395" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350395">(Jun 03 2021 at 05:38)</a>:</h4>
<p>discover it's apparently brokenness in the spec, finally, after all that time, after so many open issues and people complaining</p>



<a name="241350398"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350398" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350398">(Jun 03 2021 at 05:39)</a>:</h4>
<p>I think I've finally cracked the case</p>



<a name="241350401"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350401" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350401">(Jun 03 2021 at 05:39)</a>:</h4>
<p>closed</p>



<a name="241350402"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350402" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350402">(Jun 03 2021 at 05:39)</a>:</h4>
<p>locked</p>



<a name="241350406"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350406" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350406">(Jun 03 2021 at 05:39)</a>:</h4>
<p>you're crazy</p>



<a name="241350407"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350407" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350407">(Jun 03 2021 at 05:39)</a>:</h4>
<p>Sorry for bringing up a sore subject, I know what it's like to fight the good fight and get cut down at the end</p>



<a name="241350432"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350432" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350432">(Jun 03 2021 at 05:39)</a>:</h4>
<p>I'm just like... done</p>



<a name="241350436"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350436" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350436">(Jun 03 2021 at 05:39)</a>:</h4>
<p>I'm tired of this</p>



<a name="241350512"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350512" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350512">(Jun 03 2021 at 05:41)</a>:</h4>
<p>as a rough estimate I've spent hundreds of hours on this</p>



<a name="241350514"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350514" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350514">(Jun 03 2021 at 05:41)</a>:</h4>
<p>no more</p>



<a name="241350530"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350530" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350530">(Jun 03 2021 at 05:42)</a>:</h4>
<p>I wrote workarounds and deleted them because <code>semver</code> crate upgrades broke the workarounds and I wanted to upgrade</p>



<a name="241350580"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350580" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350580">(Jun 03 2021 at 05:42)</a>:</h4>
<p>now it's 1.0 and the brokenness is baked in and unfixable and I am told I have no place to even complain and the thread is locked</p>



<a name="241350601"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350601" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350601">(Jun 03 2021 at 05:43)</a>:</h4>
<p>and to add insult to injury</p>



<a name="241350606"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350606" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350606">(Jun 03 2021 at 05:43)</a>:</h4>
<blockquote>
<p>especially not about deliberate and sensible features of the spec.</p>
</blockquote>



<a name="241350648"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350648" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350648">(Jun 03 2021 at 05:44)</a>:</h4>
<p>logging out of this Zulip</p>



<a name="241350650"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241350650" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241350650">(Jun 03 2021 at 05:44)</a>:</h4>
<p>bye</p>



<a name="241361357"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241361357" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dirkjan Ochtman <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241361357">(Jun 03 2021 at 08:27)</a>:</h4>
<p>Started an internals discussion here: <a href="https://internals.rust-lang.org/t/changing-cargo-semver-compatibility-for-pre-releases/14820">https://internals.rust-lang.org/t/changing-cargo-semver-compatibility-for-pre-releases/14820</a></p>



<a name="241370285"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241370285" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241370285">(Jun 03 2021 at 10:04)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> sure, I'll take care of fixing version matching. The direction looks is promising so far, and should be possible with <code>semver</code> 1.0 structures only, not methods, so they won't even be able to break it.</p>



<a name="241370396"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241370396" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241370396">(Jun 03 2021 at 10:05)</a>:</h4>
<p>But it's possible that Cargo-like version selection and RustSec version matching are sufficiently different use cases that they really do require different logic.</p>



<a name="241370583"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241370583" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241370583">(Jun 03 2021 at 10:07)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> feel free to take a break from RustSec</p>



<a name="241575576"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241575576" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241575576">(Jun 04 2021 at 18:29)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> I've fixed pre-release handling <span aria-label="sweat smile" class="emoji emoji-1f605" role="img" title="sweat smile">:sweat_smile:</span> <br>
It's already published in the OSV branch. It does not handle all possible selectors, but it does handle everything actually used in RustSec database. The results are identical to the old logic, sans the handling of pre-releases.<br>
There is an added requirement that the ranges must not overlap, but that's a good thing - it made me find some incorrectly defined version specs in the current DB.</p>



<a name="241575664"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241575664" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241575664">(Jun 04 2021 at 18:30)</a>:</h4>
<p>Fixes for overlaps are up, I'd appreciate if someone could double-check that they make sense: <a href="https://github.com/RustSec/advisory-db/pull/930">https://github.com/RustSec/advisory-db/pull/930</a></p>



<a name="241595217"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241595217" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241595217">(Jun 04 2021 at 21:26)</a>:</h4>
<p>Merged, thanks to Alex for reviewing</p>



<a name="241595551"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241595551" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241595551">(Jun 04 2021 at 21:31)</a>:</h4>
<p>No problem!</p>



<a name="241847564"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241847564" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241847564">(Jun 07 2021 at 22:04)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> nice. seems like <a href="http://deps.rs">deps.rs</a> could also benefit from that sort of prerelease handling...</p>



<a name="241847763"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241847763" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241847763">(Jun 07 2021 at 22:06)</a>:</h4>
<p><a href="/user_uploads/4715/rUOrMMnOCWegl5E0BYALuBNx/Screen-Shot-2021-06-07-at-3.05.52-PM.png">Screen-Shot-2021-06-07-at-3.05.52-PM.png</a></p>
<div class="message_inline_image"><a href="/user_uploads/4715/rUOrMMnOCWegl5E0BYALuBNx/Screen-Shot-2021-06-07-at-3.05.52-PM.png" title="Screen-Shot-2021-06-07-at-3.05.52-PM.png"><img src="/user_uploads/4715/rUOrMMnOCWegl5E0BYALuBNx/Screen-Shot-2021-06-07-at-3.05.52-PM.png"></a></div>



<a name="241847779"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241847779" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241847779">(Jun 07 2021 at 22:06)</a>:</h4>
<p>^^^ same problem</p>



<a name="241847882"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241847882" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241847882">(Jun 07 2021 at 22:07)</a>:</h4>
<p>Huh. Did they use version selectors internally or something? I believe the precedence rules alone, without selectors, are sufficient for this use case. And <code>Ord</code> (or was it <code>PartialOrd</code>?) implementation on <code>semver::Version</code> should implement the precedence rules from the semver spec.</p>



<a name="241847977"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241847977" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241847977">(Jun 07 2021 at 22:08)</a>:</h4>
<p>I'm also not confident that this problem has the same cause. It would be weird if <a href="http://deps.rs">deps.rs</a> used selectors internally, it's more likely that they manually discard pre-release versions</p>



<a name="241848070"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241848070" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241848070">(Jun 07 2021 at 22:09)</a>:</h4>
<p>I'd check the code but I'm all out of spoons after writing an article for most of the evening. Feedback is very welcome, by the way:<br>
<a href="https://docs.google.com/document/d/1NoJLABjQOdTaGu9CmaosgfJeAxcFGdzCwCShJsDolaQ/edit">https://docs.google.com/document/d/1NoJLABjQOdTaGu9CmaosgfJeAxcFGdzCwCShJsDolaQ/edit#</a></p>



<a name="241849569"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241849569" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241849569">(Jun 07 2021 at 22:26)</a>:</h4>
<p>they're also parsing a <code>VersionReq</code></p>



<a name="241849576"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241849576" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241849576">(Jun 07 2021 at 22:26)</a>:</h4>
<p>it's coming from a <code>Cargo.toml</code> after all</p>



<a name="241849601"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241849601" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241849601">(Jun 07 2021 at 22:26)</a>:</h4>
<p>at least in our case we can avoid that, but they can't</p>



<a name="241849654"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241849654" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241849654">(Jun 07 2021 at 22:27)</a>:</h4>
<p>the best they can do is provide their own <code>VersionReq</code>-alike parser which provides the matching rules they need</p>



<a name="241849678"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241849678" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241849678">(Jun 07 2021 at 22:27)</a>:</h4>
<p>...which sounds like what you wrote?</p>



<a name="241849997"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241849997" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241849997">(Jun 07 2021 at 22:31)</a>:</h4>
<p>Yeah that's pretty much what I wrote.</p>



<a name="241850355"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241850355" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241850355">(Jun 07 2021 at 22:35)</a>:</h4>
<p>not suggesting we try to extract that into a crate or anything. if anything I'd like to get away from <code>VersionReq</code> entirely, even at a syntactic level, and switch to something that looks more like OSV's ranges, but</p>



<a name="241850404"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241850404" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241850404">(Jun 07 2021 at 22:36)</a>:</h4>
<p>if there's an open issue for <a href="http://deps.rs">deps.rs</a>, it might be worth pointing them at your implementation</p>



<a name="241850406"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241850406" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241850406">(Jun 07 2021 at 22:36)</a>:</h4>
<p>maybe they can do something similar</p>



<a name="241850695"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241850695" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241850695">(Jun 07 2021 at 22:40)</a>:</h4>
<p>It could be extracted, actually. Not the OSV ranges, but the ranges that can have both bounds as inclusive or exclusive. They are used only as an intermediate representation in rustsec crate right now.</p>



<a name="241850785"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241850785" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241850785">(Jun 07 2021 at 22:41)</a>:</h4>
<p>As of right now, the algorithm is somewhat simplified compared to the full-blown Cargo version selection spec, but it could be improved to cover the entire thing.</p>



<a name="241853853"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241853853" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241853853">(Jun 07 2021 at 23:22)</a>:</h4>
<p>I don't want to try to fix everything semver-related all at once, that's the road to burnout. I'll do one thing at a time.</p>



<a name="241854269"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241854269" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241854269">(Jun 07 2021 at 23:27)</a>:</h4>
<p>yeah, that's why I was suggesting just giving the <a href="http://deps.rs">deps.rs</a> people breadcrumbs</p>



<a name="241854329"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241854329" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241854329">(Jun 07 2021 at 23:28)</a>:</h4>
<p>because we're not the only ones dealing with this... SemVer design flaw</p>



<a name="241854516"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241854516" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241854516">(Jun 07 2021 at 23:30)</a>:</h4>
<p>it was at least nice to see some sort of consensus that the interpretation of prereleases in Cargo.toml could be more restrictive</p>



<a name="241998119"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241998119" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241998119">(Jun 08 2021 at 22:55)</a>:</h4>
<p>HOLY VEHK MY OSV EXPORT CODE WORKED ON THE FIRST TRY</p>



<a name="241998207"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241998207" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241998207">(Jun 08 2021 at 22:56)</a>:</h4>
<p>Truly, if it compiles, it works. All hail this pile of newtypes</p>



<a name="241998237"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/241998237" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#241998237">(Jun 08 2021 at 22:56)</a>:</h4>
<p>The entire export operation takes 200ms end to end.</p>



<a name="242001758"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/242001758" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#242001758">(Jun 08 2021 at 23:46)</a>:</h4>
<p><a href="/user_uploads/4715/td8z2c_rY99hvwsHRQjZPKAs/image.png">image.png</a></p>
<div class="message_inline_image"><a href="/user_uploads/4715/td8z2c_rY99hvwsHRQjZPKAs/image.png" title="image.png"><img src="/user_uploads/4715/td8z2c_rY99hvwsHRQjZPKAs/image.png"></a></div>



<a name="242003780"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/242003780" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#242003780">(Jun 09 2021 at 00:16)</a>:</h4>
<p>Is that yours? Now I want one</p>



<a name="242006632"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/242006632" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#242006632">(Jun 09 2021 at 01:03)</a>:</h4>
<p>nah, just think they're funny, heh</p>



<a name="242391079"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/242391079" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#242391079">(Jun 11 2021 at 19:16)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> do you think OSV addition and the change in matching logic should require an API break? I'm adding more validation on the range specification, so something that was previously accepted no longer will be. And there used to be a few nonsensical version specifications in the DB that eluded human review, so it would actually fail on older versions of the DB too.</p>



<a name="242391111"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/242391111" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#242391111">(Jun 11 2021 at 19:17)</a>:</h4>
<p>we don't really need to worry about older versions of the DB</p>



<a name="242391414"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/242391414" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#242391414">(Jun 11 2021 at 19:20)</a>:</h4>
<p>I'm asking because there is this minor API wart I'm introducing to avoid an API break. Minor as in: <code>Versions</code> newtype has public fields that can be mutated, and I want to use it to enforce certain invariants. Deserialization would enforce them but you could still mutate it and cause a panic at runtime if you violate the invariants. If I didn't want to keep the API the same I'd make those fields private and add read-only accessors, plus a validated <code>new()</code> function.<br>
So far it looks like the API break is not necessary and I'd prefer to avoid it for now so that people would get the matching fix, but I'd appreciate a second opinion</p>



<a name="242396154"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/242396154" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#242396154">(Jun 11 2021 at 20:03)</a>:</h4>
<p>Code in question for context: <a href="https://github.com/Shnatsel/rustsec/blob/26f821f9ce99b028264eaff50bf1dca18786bd51/rustsec/src/advisory/versions.rs#L14">https://github.com/Shnatsel/rustsec/blob/26f821f9ce99b028264eaff50bf1dca18786bd51/rustsec/src/advisory/versions.rs#L14</a></p>



<a name="242406163"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/CVE%20assignment%20by%20RustSec/near/242406163" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/CVE.20assignment.20by.20RustSec.html#242406163">(Jun 11 2021 at 21:31)</a>:</h4>
<p>a breaking change is fine as well</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>